<%
=begin
apps: kafka
platforms: kubernetes, tanzu-application-catalog
id: enable_tls
title: Enable TLS
category: administration
weight: 20
highlight: 20
=end %>

The <%= variable :catalog_name, :platform %> Kafka chart supports two different formats for the TLS certificates:

* Java Key Store (JKS) format (default).
* PEM format with X.509 certificates.

Choose the TLS format to use by setting the *auth.tls.type* parameter to *jks* or *pem*.

To configure TLS authentication and encryption, choose one of the following three alternatives:

* Create a secret containing your own TLS certificates.
* Put your own TLS certificates inside the chart folder *files/tls*, and a secret including them will be generated. Please note this alternative requires the chart to be available locally, so you will have to clone this repository or fetch the chart before installing it.
* Use self-signed TLS certificates auto-generated by Helm during the chart installation. This is currently supported for PEM format only.

### Use your own TLS certificates

When using your own TLS certificates, the following certificates are required depending on the TLS format:

* If you are using the JKS format, a truststore (*kafka.truststore.jks*) and one keystore (*kafka.keystore.jks*) per Kafka broker in the cluster.
* If you are using the PEM format, a CA (*kafka.truststore.pem*) and one public certificate and private key (*kafka.keystore.pem* and *kafka.keystore.key*) per Kafka broker in the cluster.

> NOTE: If the JKS keystore (JKS format) or the private key (PEM format) is password protected (recommended), the chart needs that password to open it. Provide it with the *auth.tls.password* parameter.

#### Use JKS format

To configure TLS authentication with JKS format on a Kafka cluster with two Kafka brokers, use the command below to create the secret containing the TLS certificates:

    $ kubectl create secret generic kafka-tls --from-file=./kafka.truststore.jks --from-file=./kafka-0.keystore.jks --from-file=./kafka-1.keystore.jks

> NOTE: The command above assumes you already created the truststore and keystore files. A [script to help with JKS file generation](https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh) is also available.

Then, deploy the chart with inter-broker TLS authentication using the following parameters:

~~~
replicaCount=2
auth.interBrokerProtocol=tls
auth.tls.type=jks
auth.tls.existingSecret=kafka-tls
auth.tls.password=some-password
~~~

#### Use PEM format

To configure TLS authentication with PEM format on a Kafka cluster with two Kafka brokers, use the command below to create the secret containing the TLS certificates:

    $ kubectl create secret generic kafka-tls --from-file=./kafka.truststore.pem --from-file=./kafka-0.keystore.pem --from-file=./kafka-0.keystore.key --from-file=./kafka-1.keystore.pem --from-file=./kafka-1.keystore.key

Then, deploy the chart with inter-broker TLS authentication using the following parameters:

~~~
replicaCount=2
auth.interBrokerProtocol=tls
auth.tls.type=pem
auth.tls.existingSecret=kafka-tls
auth.tls.password=some-password
~~~
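The two procedures above (JKS and PEM) differ only in which files must be present per broker. The following script is an added example, not part of the chart documentation: it checks that every file the chart expects for a cluster of N brokers exists, that PEM files hold the block type their name implies (so a swapped certificate/key pair or a missing broker keystore is caught before the secret is created instead of at broker start-up), and prints the matching `kubectl` and `helm` command lines. The directory layout, the secret name `kafka-tls`, the release name `my-kafka` and the chart reference are assumptions.

```shell
#!/bin/sh
# Added example (not the chart's own code): sanity-check per-broker TLS files
# and assemble the kubectl/helm command lines. Paths and names are assumptions.
set -u

# Print the --from-file arguments for a cluster of $2 brokers in format $1
# (jks or pem) from directory $3. Every file must exist and be non-empty; in
# PEM format each file must also contain the block its name implies.
kafka_tls_secret_args() {
  fmt=$1; replicas=$2; dir=$3
  files=""; i=0
  case "$fmt" in
    jks)
      files="kafka.truststore.jks"
      while [ "$i" -lt "$replicas" ]; do
        files="$files kafka-$i.keystore.jks"; i=$((i + 1))
      done ;;
    pem)
      files="kafka.truststore.pem"
      while [ "$i" -lt "$replicas" ]; do
        files="$files kafka-$i.keystore.pem kafka-$i.keystore.key"; i=$((i + 1))
      done ;;
    *) echo "unknown TLS format: $fmt (expected jks or pem)" >&2; return 2 ;;
  esac
  args=""; bad=0
  for f in $files; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2; bad=1; continue
    fi
    if [ "$fmt" = pem ]; then
      case "$f" in
        *.key) label="PRIVATE KEY" ;;   # also matches RSA/ENCRYPTED PRIVATE KEY headers
        *)     label="CERTIFICATE" ;;
      esac
      if ! grep -q "BEGIN .*$label-----" "$dir/$f"; then
        echo "$dir/$f has no PEM $label block (certificate and key swapped?)" >&2
        bad=1; continue
      fi
    fi
    args="$args --from-file=$dir/$f"
  done
  [ "$bad" -eq 0 ] || return 1
  printf '%s\n' "${args# }"
}

# Print the comma-separated --set list matching the parameter blocks above.
# The password ($4) is optional here, but a protected keystore/key (recommended)
# cannot be opened by the brokers without it.
kafka_tls_helm_values() {
  fmt=$1; replicas=$2; secret=$3; password=${4:-}
  v="replicaCount=$replicas,auth.interBrokerProtocol=tls,auth.tls.type=$fmt,auth.tls.existingSecret=$secret"
  [ -z "$password" ] || v="$v,auth.tls.password=$password"
  printf '%s\n' "$v"
}

# Print both commands for a cluster of $2 brokers (format $1, files in $3,
# optional password $4). Review the output, then run it. The secret name,
# release name and chart reference below are placeholders/assumptions.
kafka_tls_commands() {
  a=$(kafka_tls_secret_args "$1" "$2" "$3") || return 1
  printf 'kubectl create secret generic kafka-tls %s\n' "$a"
  printf 'helm install my-kafka <your-catalog-repo>/kafka --set %s\n' \
    "$(kafka_tls_helm_values "$1" "$2" kafka-tls "${4:-}")"
}

# Usage (assumed layout): kafka_tls_commands pem 2 ./tls some-password
```

If a broker's files are missing or a `.key` file actually holds a certificate, the function lists every offending path on stderr and returns non-zero, so nothing is sent to the cluster. JKS files are binary, so for them only presence and non-emptiness are checked.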

### Use self-signed TLS certificates

To use self-signed TLS certificates (PEM format only), set the *auth.tls.autoGenerated* parameter to *true*.

To deploy a Kafka cluster with three Kafka brokers and TLS authentication both for inter-broker and client communications, use the following parameters:

~~~
replicaCount=3
auth.clientProtocol=tls
auth.interBrokerProtocol=tls
auth.tls.type=pem
auth.tls.autoGenerated=true
~~~

### Expose metrics when TLS authentication is enabled

If you plan to expose metrics using the Kafka exporter, and you are using the *sasl_tls*, *tls*, or *mtls* authentication protocol for client connections, the exporter must be able to verify the Kafka brokers' certificates. To do so, mount the CA certificate used to sign the broker certificates in the exporter as a secret, and point the *metrics.kafka.certificatesSecret* parameter at that secret. Use the command below to create the secret containing the CA certificate:

    $ kubectl create secret generic exporter-tls --from-file=ca-file=./cacert.pem

Alternatively, you can make the exporter skip TLS certificate verification by passing extra flags, as shown below:

~~~
metrics.kafka.extraFlags={tls.insecure-skip-tls-verify: ""}
~~~
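The exporter only needs the public CA certificate, and the `ca-file` key name is what the chart mounts. The script below is an added example, not part of the chart documentation: it builds the `--from-file` argument for the exporter secret only after confirming the file holds a PEM certificate and no private key (a CA file that also carries the key would hand the exporter pod key material it has no use for), and it flags a values fragment that disables verification, since with `tls.insecure-skip-tls-verify` the exporter accepts any broker certificate, which is exactly what the CA secret is meant to prevent. The file and secret names are assumptions.

```shell
#!/bin/sh
# Added example (not the chart's own code): validate the CA file for the
# exporter secret and detect the insecure skip-verify flag in chart values.
set -u

# Print the --from-file argument for the exporter secret (key "ca-file").
# Refuses a missing/empty file, a file without a certificate, and a file
# that contains a private key.
exporter_ca_secret_args() {
  ca=$1
  [ -s "$ca" ] || { echo "missing or empty: $ca" >&2; return 1; }
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
    echo "$ca contains no PEM certificate" >&2; return 1
  fi
  if grep -q 'PRIVATE KEY-----' "$ca"; then
    echo "$ca contains a private key; give the exporter the CA certificate only" >&2
    return 1
  fi
  printf '%s\n' "--from-file=ca-file=$ca"
}

# Return non-zero if a values fragment (one key=value per line, as on this
# page) switches off broker certificate verification in the exporter.
metrics_values_check() {
  if printf '%s\n' "$1" | grep -q 'insecure-skip-tls-verify'; then
    echo "exporter values disable TLS verification; mount the CA via metrics.kafka.certificatesSecret instead" >&2
    return 1
  fi
  return 0
}

# Usage (assumed file name):
#   kubectl create secret generic exporter-tls $(exporter_ca_secret_args ./cacert.pem)
```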
